BreachExchange mailing list archives

8 Steps to Stronger Information Risk Management


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 7 Apr 2015 09:01:56 -0600

http://ww2.cfo.com/data-security/2015/04/8-steps-stronger-information-risk-management/

Believe me, I know how hard it is to get funding to strengthen your
information risk management program.  Ask pretty much any CEO to find the
time to talk about risk management (much less formalize a risk management
program) and you’re likely to get an eye roll.

Less than half (45%) of the 103 U.S. CEOs surveyed by PwC in 2015 are
“extremely concerned” over cyber threats (including lack of data security)
even while they are investing more and more in technology to ensure better
business performance.

Their investment interests are in innovating and accelerating the impact of
technology for their customers, not so much in protecting the data itself.

Your compliance and security teams may be approaching you, as the CFO, to
be their advocate in obtaining the funds needed to set up or strengthen
your information security or compliance programs.  CFOs have historically
been risk-averse by nature, focusing on protection of the business and the
bottom line. But in the world we are now facing, CFOs will be expected to
bring innovative ideas to the table to help their companies remain
competitive.

How can a CFO balance the risk/reward equation in a manner that will make a
CEO take interest in risk management decisions?  You have to bring the
facts into focus. Information risk management involves eight steps, none of
which are quick or easy, especially the first time they’re taken.

The first step is to identify all the assets that contain or transmit the
information you are trying to protect. It may be PII (personal
identification information), PHI (protected health information), PCI
(payment card information), or any other proprietary or sensitive
information important to the business. Those information assets include not
only applications but the “media” that contains those applications, such as
servers, back-up tapes, desktops, laptops, and thumb drives.

The second step is to identify the threats to those assets. Threats
typically fall into four categories: environmental (floods, lightning,
fires), structural (infrastructure or software failure), accidental
(uninformed or careless users), and adversarial (hackers, malicious
insiders).

The next step is to identify the vulnerabilities of those assets. For
example, no data backup, no encryption, weak passwords, no remote wipe, no
surge protection, no training, no access management, no firewalls, no
business continuity plans.

If you don’t have all three things – assets, threats and vulnerabilities –
then there is no risk to your information.  Making informed decisions on
risk treatment involves listing all combinations of assets, threats to
those assets, and the vulnerabilities that may be exploited.  Once that
inventory is complete, the hard work begins:

Now you must determine the likelihood of each threat exploiting every
vulnerability. What makes this step particularly hard (in addition to the
volume) is the lack of specific data to support a calculable percentage of
likelihood.  Some organizations use a simple high/medium/low ranking. But
there are many metrics for assessing likelihood, including industry breach
statistics, data-type breach statistics, data loss statistics by cause,
industry complaint statistics, the breach and/or complaint history of your
own organization, and the details of any security or privacy incidents.

The next step is to determine the impact on your organization if that bad
thing happens. There are many methods for determining the impact, the
easiest being the $200 per breached record as annually determined by the
Ponemon Research Institute, or calculating the cost more specifically for
your organization using the free Excel model on the ANSI website, which
provides values for a variety of cost variables involved in a breach.
Basically the costs include: remediation (the cost of the control/safeguard
that should have been put in before the breach) plus mitigation,
remuneration, legal costs, fines or penalties, business distraction, and
reputational costs.

At this point, you generate a risk-rating list, with high likelihood/high
impact risks at the top, low likelihood/low impact risks at the bottom, and
everything else in between.

You must then find solutions and determine costs for all risks that have
scored above the organization’s risk tolerance line.

The final step is one in which you reach a decision on the risk treatment.
Let’s take, for example, lost or stolen laptops as the risk, which
represents about 20% of the health-care breaches listed on the Health and
Human Services websites. An unencrypted laptop used in the field could be
considered high risk, depending on what safeguards (other than encryption)
are in place.  The risk can be accepted, transferred (for example,
outsourced to clinician group firms), avoided (no more laptops in the
field), or mitigated (extra-strong passwords, remote wipe, tracking
software, and so on).
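The eight steps above reduced to a small risk register, as an added example that is not part of the article: asset/threat/vulnerability combinations are scored by the high/medium/low likelihood times an impact level derived from the $200-per-record figure, ranked, filtered against a tolerance line, and re-scored after a mitigating control. The dollar bands for impact levels, the tolerance value and the sample register are assumptions made for the example.

```python
from dataclasses import dataclass, replace

# Qualitative high/medium/low ranking mapped to 1..3 for arithmetic
LEVEL = {"low": 1, "medium": 2, "high": 3}
COST_PER_RECORD = 200  # the Ponemon per-record figure quoted in the article
# Dollar ceilings for the impact levels: assumed thresholds, not from the article
IMPACT_BANDS = [(100_000, "low"), (1_000_000, "medium")]

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str         # environmental / structural / accidental / adversarial
    vulnerability: str
    likelihood: str     # "low" | "medium" | "high"
    records: int        # records exposed if this threat exploits this weakness

def impact_usd(risk):
    """Impact step: rough cost using the flat per-record breach figure."""
    return risk.records * COST_PER_RECORD

def impact_level(usd):
    for ceiling, level in IMPACT_BANDS:
        if usd < ceiling:
            return level
    return "high"

def score(risk):
    """Likelihood x impact on 1..3 scales: 1 (low/low) up to 9 (high/high)."""
    return LEVEL[risk.likelihood] * LEVEL[impact_level(impact_usd(risk))]

def rank(register):
    """Risk-rating list: high likelihood/high impact at the top."""
    return sorted(register, key=score, reverse=True)

def needs_treatment(register, tolerance):
    """Only risks scoring above the tolerance line get solutions costed."""
    return [r for r in rank(register) if score(r) > tolerance]

def mitigate(risk, new_likelihood):
    """Residual risk once a mitigating control lowers the likelihood."""
    return replace(risk, likelihood=new_likelihood)

# Constructed sample register: illustrative values, not real data
REGISTER = [
    Risk("field laptop", "adversarial", "no encryption", "high", 5_000),
    Risk("backup tapes", "environmental", "no off-site copy", "low", 50_000),
    Risk("web app", "adversarial", "weak passwords", "medium", 2_000),
    Risk("desktop", "accidental", "no training", "medium", 100),
]
TOLERANCE = 5  # assumed appetite: anything scoring above 5 must be treated
```

With these values `needs_treatment(REGISTER, TOLERANCE)` returns only the unencrypted field laptop (score 9), and `mitigate(..., "low")` drops it to 3, below the line.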

As CFO, you know the risk appetite of the C-suite and the limitations of
the budgets. Make sure the investments being recommended are in line with
your organization’s strategy and operational needs. It’s important to
either establish or strengthen an internal risk management governance
council to guide decision-making.

The eight steps outlined here are rigorous, but that’s only the beginning.
Your organization has to constantly reevaluate the many risks it faces. It
takes time, energy and commitment – but that ongoing vigilance has its
rewards: helping you avoid the staggering costs and reputational damage
stemming from a data breach.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
